A financial presentation device (FPD) is a payment device that can be presented to sellers of goods or services for payment, and includes, but is not limited to, credit cards, debit cards, prepaid cards, electronic benefit cards, charge cards, virtual cards, smart cards, key chain devices, personal digital assistants, cell phones, stored value devices and the like. Conventional FPDs such as credit cards and debit cards provide convenience to customers and facilitate financial and commercial transactions. Such conventional “plastic” FPDs require the holder to carry the card and to swipe or insert the card into a card reader at the point of sale. With the widespread use of mobile communication devices such as cell phones and personal digital assistants, there has been a proposal to configure or “provision” mobile communication devices with card holder data and to adapt them for use as an FPD in lieu of conventional plastic FPDs. This would eliminate the need to carry a separate FPD, and allow financial transactions at the point of sale to be performed in a wireless (contactless) mode, for example, through near-field communications (NFC).
In the case of conventional FPDs, issuers have control over the manufacture of the FPDs, which may be done in a single batch process. In the case of mobile communication devices, however, issuers have no control over those devices as they belong to the customers themselves. As such, issuers have no convenient way to configure all of the mobile communication devices of their customers (FPD holders) to operate as FPDs, since it would be burdensome for the issuers to provision the devices of all holders with the required software, data and security features. To deal with this problem, issuers can turn to third parties (“over-the-air (OTA) providers”) to provision the mobile communication devices of their FPD holders with the software, data, and security features needed to enable the mobile communication devices as FPDs. Typically, the provisioning process requires the issuer to securely transfer to the OTA provider the private FPD holder data and security keys necessary to provision the mobile device. Security keys in the context of this application are those that are used to validate card or account verification data that originates from the card or mobile communication device during a financial transaction. For example, a security key can be used to generate a dynamic card verification value which can be used to validate the card transaction.
The fact that the OTA provider has continued access to this sensitive information increases the opportunity for security breaches and the potential for counterfeit and fraudulent transactions. If it were possible to eliminate the transfer and storage of this sensitive information, the payment infrastructure would be more secure.
Moreover, the OTA provider would need to obtain permission from each mobile communication service provider to transmit data for each issuer. This is because the service providers control access to the secure chip inside the mobile communication devices. Since there are over 10,000 issuers in the U.S. alone and over 50 communication service providers, it would be a logistical challenge to negotiate the permission for each issuer from each communication service provider.
It would therefore be desirable to provide a system and method for enabling a mobile communication device to operate as an FPD without releasing sensitive FPD data and security keys to a third-party OTA provider and without having to negotiate the permission for access to the mobile communication devices for all the issuers.